Security teams may finally understand how to forge strong defences against online attacks, a new report suggests.

In its fifth annual State of Security Operations Report, which studies the efforts of 144 security operations centres in organizations across 33 countries, Micro Focus concluded that in 2017 there was “a turning of tide” after seeing cyber defense programs “zig and zag in terms of maturity.”

“Over the last five years, 25 percent of organizations assessed are meeting business goals and are working toward or have achieved recommended maturity levels,” says the report, which was released Monday. That’s a seven per cent improvement over the findings in 2016 , and a 12 per cent improvement over the last three years, says the study.

However, it adds, only five per cent of assessed organizations were operating at recommended target levels of capability and maturity.

In fact 20 percent of cyber defense organizations assessed over the past five years failed to meet the study’s level 1 security operations maturity model standards. “These organizations continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management. Although the number is still higher than we would like to see, this shift was also an overall improvement over the trend established in previous years.”

The report’s author say the most important success criteria for a mature cyber defense capability is reliable detection of malicious activity and threats to the organization and a systematic approach to manage those threats that fully leverages the people, processes, and technology available to the organization.

Yet “most security operations centers continue to be over-invested in technologies, often failing to take full advantage of each tool’s capabilities. In spite of heavy technology investment, many struggle to prevent, detect, respond, and recover from cyber security attacks. Timely response outcomes are possible only
through repeatable, mature operations, when organizations establish a culture that keeps up with the dynamics of IT, risk, and regulatory change.

The State of Security Operations Report was created and released by Hewlett-Packard, and, after it split, Hewlett-Packard Enterprise. However, last September HPE sold its software division, including security services, to U.K.-based Micro Focus for about US$8.8 billion.

The study measures participating organizations using a security operations maturity model partly based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI). The ideal composite maturity score for a modern enterprise cyber defense capability is level 3 on a five-point scale, the report says, where the capability is “defined.” This is achieved with a complimentary mixture of agility for certain processes and high maturity for others. The most advanced security operations centers in the world will typically achieve an overall score between a level 3 and level 4—there are very few of these organizations in existence today, says the report.

In the most recent report the median maturity of all security operations centres (SCO) studied reached 1.42. (Previous reports have taken a broad definition of an SOC).

“While SOCs in this range are generally getting the job done,” the report says, the authors often see a lack of repeatability, metrics, and continuous improvement. That means the effectiveness and sustainability of those cyber defense programs are unpredictable across most organizations, it points out.

Among the best SOCs the authors saw a much higher degree of operational sophistication than ever before. Organizations are:
■ quickly shifting to co-managed operations in partnership with vendors and niche providers to overcome the global shortage of cyber security talent;
■ rapidly adopting security orchestration, automation, and response solutions to gain efficiencies and repeatability in the handling of high fidelity alerts;
■ systematically investing in the development of Security Fusion Centers that can span the operational overlap of multiple domains such as data security and compliance, monitoring for insider threats and privileged access through behavior analytics, and building effective consolidated operations and incident response for hunt, threat intelligence and IT operations.

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.